Zero day threat detection/prevention of cyber-attacks is a difficult task to accomplish given the wide variety of threat vectors that need to be addressed. A zero day (or zero hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, one that developers have not had time to address and patch. Different approaches such as firewalls, client-side agents, sandboxing and Uniform Resource Locator (URL)/domain based classification are used to detect/prevent cyber-attacks. URL/domain classification is a key mechanism for detecting that a particular system has been infected: it works by comparing the domain name in the requested resource against a black list of domains and then performing an appropriate policy-related action on that resource request. There are three weak links in this chain. The first is the URL/domain classification system itself, the state of which can quickly get out of synchronization with the real snapshot of the Internet, given the distributed nature of the network. Secondly, these changes need to be propagated to the upfront systems that feed off this classification and, thirdly, the classification system could completely misclassify a particular domain. The combination of the above can result in a window of opportunity for a cyber-security event like phishing, spam, etc.
Fast flux is an advanced technique used to carry out sophisticated attacks like distributed denial-of-service (DDOS), phishing, malware distribution, etc. Fast flux is a Domain Name System (DNS) technique used by botnets, among others, to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. The basic idea behind fast flux is to have numerous Internet Protocol (IP) addresses associated with a single fully qualified domain name, where the IP addresses are swapped in and out with extremely high frequency through changing DNS records. The simplest type of fast flux, named “single-flux”, is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name. This combines round robin DNS with very short TTL (time to live) values, usually less than five minutes (300 s), to create a constantly changing list of destination addresses for that single DNS name. The list can be hundreds or thousands of entries long. A more sophisticated type of fast flux, referred to as “double-flux”, is characterized by multiple nodes within the network registering and de-registering their addresses as part of the DNS Name Server record list for the DNS zone. This provides an additional layer of redundancy and survivability within the malware network.
Within a malware attack, the DNS records will normally point to a compromised system that will act as a proxy server. This method prevents some of the traditionally best defense mechanisms from working, e.g., IP-based access control lists (ACLs). The method can also mask the systems of attackers, which will exploit the network through a series of proxies and make it much more difficult to identify the attackers' network. The record will normally point to an IP where bots go for registration, to receive instructions, or to activate attacks. Because the IPs are proxied, it is possible to disguise the originating source of these instructions, increasing the survival rate as IP-based block lists are put in place. More details about fast flux are available at www.honeynet.org/book/export/html/130.
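The single-flux pattern described above (short TTLs, many A records, addresses swapped between lookups) can be scored from repeated DNS lookups of one name. The following is an added illustration, not code from the original text; the thresholds (300 s TTL, five addresses, three networks) and the sample lookups built from documentation address ranges are assumptions, and the stable round-robin case shows why a short TTL alone is not enough evidence.

```python
from collections import namedtuple
from ipaddress import ip_address

# One DNS lookup result for a name: the record TTL (seconds) and the A-record list.
Snapshot = namedtuple("Snapshot", "ttl records")


def network_key(addr):
    """Coarse network bucket: /16 for IPv4, /48 for IPv6."""
    ip = ip_address(addr)
    return ip.packed[:2] if ip.version == 4 else ip.packed[:6]


def analyze_flux(snapshots, ttl_threshold=300, min_ips=5, min_networks=3):
    """Summarise repeated lookups of one name and flag single-flux behaviour.

    Thresholds are illustrative assumptions: TTL at or below 300 s, at least
    min_ips distinct addresses spread over min_networks networks, and at least
    one address swapped in or out between consecutive lookups.
    """
    seen, churn, prev = set(), 0, None
    for snap in snapshots:
        current = set(snap.records)
        if prev is not None:
            churn += len(current ^ prev)  # addresses that entered or left since last lookup
        seen |= current
        prev = current
    networks = {network_key(a) for a in seen}
    max_ttl = max(s.ttl for s in snapshots)
    return {
        "unique_ips": len(seen),
        "unique_networks": len(networks),
        "churn": churn,
        "max_ttl": max_ttl,
        "fast_flux": (max_ttl <= ttl_threshold and len(seen) >= min_ips
                      and len(networks) >= min_networks and churn > 0),
    }


# Constructed sample lookups (documentation address ranges, not real hosts).
FLUX_LOOKUPS = [
    Snapshot(180, ["192.0.2.10", "198.51.100.7", "203.0.113.44"]),
    Snapshot(180, ["192.0.2.11", "198.51.100.9", "203.0.113.44"]),
    Snapshot(180, ["192.0.2.12", "198.51.100.21", "203.0.113.50"]),
]
# Short TTL alone is not flux: a round-robin pool that stays put inside one network.
STABLE_LOOKUPS = [
    Snapshot(60, ["192.0.2.10", "192.0.2.11", "192.0.2.12"]),
    Snapshot(60, ["192.0.2.11", "192.0.2.12", "192.0.2.10"]),
]

if __name__ == "__main__":
    print(analyze_flux(FLUX_LOOKUPS))    # fast_flux True: 8 addresses, 3 networks, churn 10
    print(analyze_flux(STABLE_LOOKUPS))  # fast_flux False: same 3 addresses, churn 0
```

The same summary applies to double-flux when the snapshots hold the addresses of the zone's name servers instead of the A records of a single host name.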